Encapsulate ESP packets within TCP headers
FortiOS includes a proprietary solution to support the encapsulation of Encapsulating Security Payload (ESP) packets within Transmission Control Protocol (TCP) headers. This allows ESP packets to be assigned a port number, which enables them to traverse carrier networks where direct IPsec traffic is blocked or impeded by carrier-grade NAT.
This feature only works with IKE version 2, and it does not support ADVPN.
To configure the TCP port for IKE/IPsec traffic:
config system settings
    set ike-tcp-port <integer>
end

ike-tcp-port <integer>
    Set the TCP port for IKE/IPsec traffic (1 - 65535, default = 4500).
To configure ESP encapsulation on the phase 1 interface:
config vpn ipsec phase1-interface
    edit <name>
        set ike-version 2
        set transport {auto | udp | tcp}
        set fortinet-esp {enable | disable}
        set auto-transport-threshold <integer>
    next
end

transport {auto | udp | tcp}
    Set the IKE transport protocol.
fortinet-esp {enable | disable}
    Enable/disable Fortinet ESP encapsulation.
auto-transport-threshold <integer>
    Set the timeout before IKE/IPsec traffic falls back to TCP, in seconds (1 - 300, default = 15).
In the GUI, the VPN Wizard can be used to set the IKE transport protocol.
To set the IKE transport protocol in the GUI:
1. Go to VPN > VPN Wizard.
2. Enter a Tunnel name.
3. For Select a template, select Site to Site, and click Begin.
4. Configure the Remote Site settings as required, and click Next.
5. Under VPN tunnel, set the Transport protocol as needed.
   The Use Fortinet encapsulation option displays only when Transport is set to TCP encapsulation. See Encapsulate ESP packets within TCP headers for more information.
   When Transport is set to Auto, you can adjust the threshold for switching to TCP encapsulation by using the set auto-transport-threshold command.
6. Configure the remaining settings as needed.
TCP encapsulation of IKE and IPsec packets across multiple vendors
FortiOS supports TCP encapsulation of IKE and IPsec packets across multiple vendors. This cross-vendor interoperability ensures that you can maintain a secure and efficient network, while also having the flexibility to choose the hardware that aligns best with your requirements.
IKE and ESP are encapsulated into TCP, and ESP packets are encapsulated into a real TCP header. Because Fortinet ESP encapsulation is not enabled, anti-replay does not need to be disabled.
To configure ESP encapsulation for cross-vendor interoperability:
1. Configure the IKE TCP port setting.
2. Configure the IPsec phase 1 settings, and do not set fortinet-esp to enable. This is disabled by default.
3. Configure the IPsec phase 2 settings.
Example
In this example, IPsec VPN crosses over a carrier network and UDP packets are not allowed.
To encapsulate ESP packets within TCP headers:
1. On each FortiGate, configure the IKE TCP port setting:
   config system settings
       set ike-tcp-port 1443
   end
2. Disable anti-replay in the global settings on the FGT_B (NAT) FortiGate (see step 7 for more information):
   config system global
       set anti-replay disable
       set hostname "FGT-B"
   end
3. Configure the FGT_A (spoke) FortiGate.
   a. Configure the IPsec phase 1 settings:
      config vpn ipsec phase1-interface
          edit "spoke"
              set interface "wan1"
              set ike-version 2
              set peertype any
              set net-device disable
              set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
              set transport tcp
              set fortinet-esp enable
              set remote-gw 173.1.1.1
              set psksecret **********
          next
      end
   b. Configure the IPsec phase 2 settings:
      config vpn ipsec phase2-interface
          edit "spoke"
              set phase1name "spoke"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
              set src-subnet 10.1.100.0 255.255.255.0
          next
      end
      IKE and ESP will be encapsulated into TCP, and ESP packets encapsulated into a fake TCP header.
4. Configure the FGT_C (spoke) FortiGate.
   a. Configure the IPsec phase 1 settings:
      config vpn ipsec phase1-interface
          edit "Spoke"
              set interface "wan1"
              set ike-version 2
              set peertype any
              set net-device disable
              set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
              set transport auto
              set fortinet-esp enable
              set auto-transport-threshold 10
              set remote-gw 173.1.1.1
              set psksecret **********
          next
      end
   b. Configure the IPsec phase 2 settings:
      config vpn ipsec phase2-interface
          edit "Spoke"
              set phase1name "Spoke"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
              set src-subnet 192.168.4.0 255.255.255.0
          next
      end
      IKE will use UDP encapsulation first. If it fails to establish in 10 seconds, it will fall back to TCP. ESP packets are encapsulated into a fake TCP header.
5. Configure the FGT_D (hub) FortiGate.
   a. Configure the IPsec phase 1 settings:
      config vpn ipsec phase1-interface
          edit "Hub"
              set type dynamic
              set interface "port25"
              set ike-version 2
              set peertype any
              set net-device disable
              set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
              set dpd on-idle
              set transport tcp
              set fortinet-esp enable
              set psksecret **********
              set dpd-retryinterval 60
          next
      end
   b. Configure the IPsec phase 2 settings:
      config vpn ipsec phase2-interface
          edit "Hub"
              set phase1name "Hub"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
          next
      end
6. Verify the IPsec VPN tunnel state on FGT_D (hub):
   # diagnose vpn ike gateway list
   vd: root/0
   name: Hub_0
   version: 2
   interface: port25 33
   addr: 173.1.1.1:1443 -> 173.1.1.2:23496
   tun_id: 173.1.1.2/::10.0.0.4
   remote_location: 0.0.0.0
   network-id: 0
   transport: TCP
   created: 733s ago
   peer-id: 11.101.1.1
   peer-id-auth: no
   nat: peer
   PPK: no
   IKE SA: created 1/1  established 1/1  time 0/0/0 ms
   IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

     id/spi: 3 f050ac7a151a3b31/3b46b71108eea2e2
     direction: responder
     status: established 733-733s ago = 0ms
     proposal: aes128-sha256
     child: no
     SK_ei: 619dfbeb679345f7-531692a72da85727
     SK_er: 5b6a1625b2ce71cf-13b339289ca99b9d
     SK_ai: a61818128c0d5390-b6d15cf9eb58e0f6-4e8c552e6265387b-4f79dc3acdd5d092
     SK_ar: 64fb56b13ee65bd2-6ea1fb268b3ffad9-818c8e4d302a1176-c8978a8ce91d9856
     PPK: no
     message-id sent/recv: 11/2
     QKD: no
     lifetime/rekey: 86400/85396
     DPD sent/recv: 0000000c/0000000c
     peer-id: 11.101.1.1

   vd: root/0
   name: Hub_2
   version: 2
   interface: port25 33
   addr: 173.1.1.1:1443 -> 173.1.1.2:12186
   tun_id: 10.0.0.4/::10.0.0.6
   remote_location: 0.0.0.0
   network-id: 0
   transport: TCP
   created: 645s ago
   peer-id: 172.16.200.3
   peer-id-auth: no
   nat: peer
   PPK: no
   IKE SA: created 1/1  established 1/1  time 0/0/0 ms
   IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

     id/spi: 17 7eb5a40cd324d2fc/f04fec6d8d77d996
     direction: responder
     status: established 645-645s ago = 0ms
     proposal: aes128-sha256
     child: no
     SK_ei: c1fe2027086b046b-0f15c6e2d25a255d
     SK_er: 3eac9a73b4dd2961-900c0af7f0e18abf
     SK_ai: e21ca3934cca7a85-af425d12baf40693-0c30e3f6d98a6a7d-273b33cc49155092
     SK_ar: 1bef95d13784e8e1-9894c1b3628e158a-3cbfe4f7a730d9de-c9150844e3ff2002
     PPK: no
     message-id sent/recv: 10/2
     QKD: no
     lifetime/rekey: 86400/85484
     DPD sent/recv: 0000000b/0000000b
     peer-id: 172.16.200.3
7. Verify the ESP packets sniffed on the NAT device.
   In the packet capture, ESP packets are encapsulated into TCP ACK packets with the same sequence number. This is why anti-replay must be disabled on the NAT FortiGate.
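The behaviour behind step 7 and the cross-vendor note above, shown as an added example that is not part of the FortiOS documentation: a simplified Python model of a stateful TCP sequence check on the NAT device (an assumed model, not the FortiOS implementation), run over constructed segments. A Fortinet-style stream reuses one TCP sequence number for every ESP packet and is mostly dropped while the check is on; a real-TCP-header stream, where the sequence number advances, passes either way. The ports, SPI and sequence numbers are constructed.

```python
import struct

TCP_ACK = 0x10
IKE_TCP_PORT = 1443  # matches the ike-tcp-port value used in the example

def build_segment(sport, dport, seq, ack, flags, payload):
    """Constructed 20-byte TCP header (no options, checksum left 0) plus payload."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return hdr + payload

def parse_segment(seg):
    sport, dport, seq, ack, off, flags, _w, _c, _u = struct.unpack("!HHIIBBHHH", seg[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "payload": seg[(off >> 4) * 4:]}

def esp_payload(spi, esp_seq):
    """Constructed ESP header (SPI, ESP sequence number) plus dummy ciphertext."""
    return struct.pack("!II", spi, esp_seq) + bytes([esp_seq & 0xFF]) * 40

def fake_tcp_stream(n=4):
    """Fortinet ESP encapsulation as the capture in step 7 shows it: each ESP
    packet rides in a TCP ACK segment that reuses the same TCP sequence number."""
    return [build_segment(23496, IKE_TCP_PORT, 1000, 1, TCP_ACK, esp_payload(0x12345678, i + 1))
            for i in range(n)]

def real_tcp_stream(n=4):
    """Cross-vendor case: ESP carried in a real TCP header whose sequence number
    advances by the length of each segment's payload."""
    segs, seq = [], 1000
    for i in range(n):
        payload = esp_payload(0x12345678, i + 1)
        segs.append(build_segment(23496, IKE_TCP_PORT, seq, 1, TCP_ACK, payload))
        seq += len(payload)
    return segs

def nat_device_forward(stream, anti_replay):
    """Assumed model of a stateful TCP check on the NAT FortiGate: with anti-replay
    on, a segment whose sequence number does not advance past data already accepted
    is treated as a replay and dropped. Returns (forwarded, dropped) counts."""
    forwarded = dropped = 0
    next_seq = None
    for seg in stream:
        s = parse_segment(seg)
        if anti_replay and next_seq is not None and s["seq"] < next_seq:
            dropped += 1
            continue
        forwarded += 1
        next_seq = s["seq"] + len(s["payload"])
    return forwarded, dropped
```

The ESP sequence number inside the payload still increments per packet; it is only the outer fake TCP sequence number that stays constant, which is what the stateful check objects to.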